Where did that email actually come from?

Posted on by ccsretail

Mail - Send.pngIn today’s world of spam and phishing, it can be very useful to be able to find out where an email actually came from.  Just because it says that it is from “someone@domain.com”, does not mean that is who sent it.  Nor, does it even mean that it came from anyone at “domain.com”.

What can not be faked, however, is the delivery trace.  All emails contain headers that log the date, time, and IP address, for every computer that had a hand in delivering that email.  From the originator, to their mail server, to the next server, and so on until it arrives at your mailbox.

The trick is to get to and interpret those headers.  Each email client differs in the manner that you get to these headers.  In Outlook (depending on the version), you right-click on the message and select “Options”.  In Eudora, you click the “BLAH-BLAH” button,  Sometimes getting to the headers is the hardest part.

Assuming you have been able to see the mail headers, what are you looking for?  The “received” headers.  The following is an example of a “received” header (with some data obscured for security reasons):

    Received: from mailserver.domain.com (resolved.name.of.server [192.168.1.1])
            by mailserver.somedomain.com (8.14.8/8.14.7) with ESMTP id s4TEU1RO007434
            for ; Thu, 29 May 2014 07:30:02 -0700

This received line is one in the middle.  The relevant information is

    The message was received from “mailserver.domain.com.  More importantly, the IP address of that machine is 192.168.1.1
    The machine that received the message at this step, was mailserver.somedomain.com

So with that, you have the sending and receiving machine at each hop that the mail took.  Usually, these received headers are in reverse order, with the latest at the top, and earlier ones below.  So you start with the last received header, and that usually identifies the machine that actually sent the email.  Then, the received line above that is the next hop and so on.  If the email originated inside a private network, you may have to check a few received lines, until you get one that has a public IP address.  

Once you have a public IP address, then it is a matter of identifying where that address actually is.  There are several tools for this available on the internet.

Dave.